High severity · credentials

Power BI Refresh Error:
ADLSGen2ForbiddenError

What does this error mean?

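Azure Data Lake Storage (ADLS) Gen2 denied access with 403 Forbidden to a pipeline in Azure Data Factory (ADF) or Fabric. Either the pipeline identity lacks the required RBAC role on the container, or the storage firewall blocks the integration runtime (IR).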

Common causes

  • The storage account has public network access disabled — the integration runtime is blocked and needs a private endpoint
  • The storage account firewall is configured for selected virtual networks/IPs and the integration runtime's IP is not in the allowlist
  • The service principal or managed identity is missing the required RBAC role on the storage account or container

How to fix it

  1. Check the storage account's Networking settings in the Azure portal.
  2. If public network access is disabled: configure a managed virtual network Data Factory runtime and create a private endpoint to access the storage account.
  3. If selected virtual networks and IPs are configured: add the integration runtime's public IP to the storage account firewall under Networking → Firewall rules; for Azure IR IP ranges, see the ADF documentation.
  4. If using trusted Azure services in the firewall: switch to managed identity authentication in the copy activity.
  5. Ensure the service principal or managed identity has at least 'Storage Blob Data Reader' for source operations or 'Storage Blob Data Contributor' for destination/write operations.
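
The checks in the steps above can be run over exported settings instead of clicking through the portal. The following is an added example, not code from this page or from Microsoft: it assumes the storage account JSON comes from `az storage account show` and the role list from `az role assignment list`; the function name `triage_403`, the finding codes and the sample data are hypothetical.

```python
import ipaddress

# Built-in data roles. The page names Reader (source) and Contributor (sink);
# Storage Blob Data Owner is a superset of both.
READ = {"Storage Blob Data Reader", "Storage Blob Data Contributor", "Storage Blob Data Owner"}
WRITE = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}

def triage_403(account, assignments, ir_ip, needs_write=False):
    """Return (code, advice) findings in the order of the fix steps.

    account     -- dict parsed from `az storage account show` JSON
    assignments -- list parsed from `az role assignment list` JSON for the identity
    ir_ip       -- public IP of the integration runtime
    """
    findings = []
    rules = account.get("networkRuleSet") or {}
    if account.get("publicNetworkAccess") == "Disabled":
        findings.append(("public-network-disabled",
                         "use a managed virtual network runtime with a private endpoint"))
    elif rules.get("defaultAction") == "Deny":
        addr = ipaddress.ip_address(ir_ip)
        # Assumption: az CLI output names the field ipAddressOrRange, raw ARM JSON uses value.
        cidrs = [r.get("ipAddressOrRange") or r.get("value") for r in rules.get("ipRules") or []]
        if not any(c and addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            advice = f"add {ir_ip} under Networking > Firewall rules"
            if "AzureServices" in (rules.get("bypass") or ""):
                advice += ", or switch the copy activity to managed identity authentication"
            findings.append(("ip-not-allowlisted", advice))
    wanted = WRITE if needs_write else READ
    held = {a.get("roleDefinitionName") for a in assignments}
    if not held & wanted:
        findings.append(("missing-rbac-role", "assign one of: " + ", ".join(sorted(wanted))))
    return findings

# Constructed sample input (documentation IP range, not a real account).
SAMPLE_ACCOUNT = {
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny", "bypass": "AzureServices",
                       "ipRules": [{"ipAddressOrRange": "203.0.113.0/28", "action": "Allow"}]},
}
SAMPLE_ASSIGNMENTS = [{"roleDefinitionName": "Storage Blob Data Reader"}]

if __name__ == "__main__":
    for code, advice in triage_403(SAMPLE_ACCOUNT, SAMPLE_ASSIGNMENTS, "203.0.113.40", needs_write=True):
        print(f"{code}: {advice}")
```

An empty result means none of the three causes listed on this page applies to the inputs given; the control-plane 'Contributor' role is deliberately not counted, because the fix step asks for the Storage Blob Data roles.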

Frequently asked questions

Does this error affect all users or just the dataset owner?

All users — scheduled and manual refreshes run under the credentials stored in the dataset settings, not individual user accounts.

Can expired OAuth tokens cause this error?

Yes — if the data source uses OAuth (SharePoint, Dynamics 365, Azure), the token expires periodically and must be re-authorized by the dataset owner.

Will this error clear itself after I update the credentials?

Yes — once you re-enter valid credentials in the dataset settings, the next refresh (scheduled or triggered manually) will succeed.

How do I know which dataset is using which credentials?

Go to Power BI Service → Settings → Datasets → Data source credentials for the affected dataset. Each connection shows the credential type and the account it's stored under.

Source · learn.microsoft.com/en-us/fabric/data-factory/connector-troubleshoot-azure-data-lake-storage
